Detailed attack pattern

Draft

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Last updated June 1, 2026

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

11

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-59 (Session Credential Falsification through Prediction) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users.
- An attacker makes many anonymous connections and records the session IDs assigned.
- An attacker makes authorized connections and records the session tokens or credentials issued.
Step 2
Explore
[Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.
- Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
- Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
- Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

Step 3

Experiment

[Match issued IDs] The attacker brute forces different values of session ID and manages to predict a valid session ID.

The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Step 4

Exploit

[Use matched Session ID] The attacker uses the falsified session ID to access the target system.

The attacker loads the session ID into their web browser and browses to restricted data or functionality.
The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.

What the attacker needs

Prerequisites

The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Skills required

Low skill: There are tools to brute force session ID. Those tools require a low level of knowledge.
Medium skill: Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.

Consequences

What a successful CAPEC-59 attack can achieve.

Gain Privileges

Affects: Confidentiality, Access Control, Authorization

How to mitigate it

Defenses that reduce the risk of CAPEC-59.

Use a strong source of randomness to generate a session ID.
Use adequate length session IDs
Do not use information available to the user in order to generate session ID (e.g., time).
Ideas for creating random numbers are offered by Eastlake [RFC1750]
Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.

Examples

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. See also: CVE-2006-6969

mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. See also: CVE-2001-1534

Terminology & mappings

Mapped taxonomies

WASC: Credential/Session Prediction (18)
OWASP Attacks: Session Prediction

Frequently asked questions

Common questions about CAPEC-59.

What is CAPEC-59?

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

How does a Session Credential Falsification through Prediction attack work?

It typically unfolds over 4 phases. It begins with: [Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users.

How do you prevent CAPEC-59?

Use a strong source of randomness to generate a session ID.

What weaknesses does CAPEC-59 target?

CAPEC-59 exploits 11 CWE weaknesses, including CWE-6 (J2EE Misconfiguration: Insufficient Session-ID Length), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-285 (Improper Authorization), CWE-290 (Authentication Bypass by Spoofing).

How severe is CAPEC-59?

MITRE rates CAPEC-59 as High severity with high likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-59

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing